3

I need to write some code which can gain root priveleges and execute system level operations. Here's what I've written (this is not the actual code, just to test if I'm doing things correctly or not):

#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
int main(void)
{
    int current_uid = getuid();
    printf("My UID is: %d. My GID is: %d\n", current_uid, getgid());
    system("/usr/bin/id");
    if (setuid(0))
    {
        perror("setuid");
        return 1;
    }
    //I am now root!
    printf("My UID is: %d. My GID is: %d\n", getuid(), getgid());
    system("/usr/bin/id");
    //Time to drop back to regular user privileges
    setuid(current_uid);
    printf("My UID is: %d. My GID is: %d\n", getuid(), getgid());
    system("/usr/bin/id");
    return 0;
}

After doing gcc -o setuid setuid.c, I run ls -al on this to get following results:

tarun@staging:~$ ls -al setuid
-rwxr-xr-x 1 tarun tarun 9792 2009-10-03 18:09 setuid
adam@staging:~$

Trying to run the application results in:

tarun@staging:~$ ./setuid
My UID is: 1000. My GID is: 1000
uid=1000(tarun) gid=1000(tarun) groups=1000(tarun),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),109(lpadmin),125(sambashare),999(bumblebee)
setuid: Operation not permitted

I change the owner to root and set the sticky bits accordingly:

tarun@staging:~$ su - root
Password:
staging:~# cd /home/tarun
staging:/home/tarun# chown root.root setuid
staging:/home/tarun# chmod +s setuid
staging:/home/tarun# ls -al setuid
-rwsr-sr-x 1 root root 9792 2009-10-03 18:09 setuid
staging:/home/tarun# exit
logout
tarun@staging:~$

Executing the program now gives:

adam@staging:~$ ./setuid
My UID is: 1000. My GID is: 1000
uid=1000(tarun) gid=1000(tarun) groups=1000(tarun),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),109(lpadmin),125(sambashare),999(bumblebee)
setuid: Operation not permitted

While ideally it should have executed fully and changed my uid to 0. What am I doing wrong?

Roman Nikitchenko
  • 12,800
  • 7
  • 74
  • 110
Tarun Verma
  • 329
  • 5
  • 17

3 Answers3

5

No problem with your code, just check correct setuid / 'sgid' sequence:

sudo chmod 6775 setuid
sudo chown root:root setuid

You must set at least SUID, SGID and execution permissions (6555 mask). Also it's common for this case to set user/group write (6775 mask). Of course for security you can limit this to user write mask (6755).

And please beassure you don't drop permissions during re-compile:

$ ls -al
-rwsrwsr-x 1 root  root  8772 Feb  8 17:52 setuid

Just in case you (or future readers) need such guide: What is SUID and how to set SUID in Linux/Unix?

Regarding to issues with eCryptfs: here is article which should help you: https://wiki.archlinux.org/index.php/ECryptfs

tornado
  • 70
  • 9
Roman Nikitchenko
  • 12,800
  • 7
  • 74
  • 110
1

The sticky bit has an entirely different function. On a file it is largely undefined these days, while on a directory it prevents non-owners (other than root) from removing files in the directory regardless of the directory permissions.

You are looking for the set UID bit:

  chown root setuid
  chmod +s setuid

Obviously you must be root to set the SUID permission for a root owned file. Since the setUID bit exists, though, I suspect that you may be going to effort that is not required.

David Hoelzer
  • 15,862
  • 4
  • 48
  • 67
0

Change

chown root.root setuid

to

chown root setuid

or

chown root.tarun setuid
alk
  • 69,737
  • 10
  • 105
  • 255
  • 1
    Note: some file systems require the setuid allowed option to be set when mounted. In order to allow setuid operations. Check your mountpoint. – jim mcnamara Feb 08 '15 at 15:59